Automatic or manual Active Directory authentication in asp.net mvc - asp.net

I'm working on an asp.net mvc web app that is supposed to:
Automatically login someone if they are a valid user in Active Directory.
If the client is outside of the network (they're at home or whatever), allow them to manually login with their AD credentials through a login form.
I'm very new to AD authentication, I'm confused as to if I should be using Forms Authentication or Windows Authentication.
I have this in my web.config:
<add name="ADConnect" connectionString="LDAP://[something]/CN=dhr,DC=[something],DC=net" />
If I set: <authentication mode="Windows">
I can check User.Identity.IsAuthenticated in the controller to determine if they're logged in. If they're not, am I supposed to use this?:
Membership.ValidateUser("someguy", "somepass");
I get an error about making a secure connection to the server if I run the above. I have this as my provider:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear />
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnect" attributeMapUsername="sAMAccountName"
/>
</providers>
</membership>

Typically, network administrators prevent web applications that use windows authentication to expose to the internet due to security reasons. This is definitely possible, but you need to make sure that second scenario is valid and possible in your organization. A common scenario to connect from the internet is to use VPN which will log in you to the network (means you will be authenticated against AD).
To perform only authentication for the first scenario you do no need the AspNetActiveDirectoryMembershipProvider. An authentication (validation of user identity) usually only required to be set
in web.config: authentication mode="Windows" and authorization
on IIS: set integrated windows authentication to ON
on IIS: if you have second scenario (or if you have different domains, etc) keep anonymous access as ON - it should prompt with standard login propmt;otherwise set it OFF

Related

How to configure SSRS without using my Windows login and password?

The way SSRS in my project works, it requires my Windows User Login and password in the web.config file of the ASP.NET application which calls the reports. This is a problem since i have to change the password every 90 days as a security measure. Is it possible to configure SSRS without any employees Login and password ?
This is the part that worries me
<add key="ReportServerUsername" value="me" />
<add key="ReportServerPassword" value="my password" />
<add key="ReportServerDomainname" value="my domain />
Yes, set it up to use impersonated/delegated credentials.
You will have to configure the web application to use integrated authentication, then set the correct attribute in the config file.
<authentication mode="Windows"/>
<identity impersonate="true"/>
If done this way, each user will be accessing the database using their own username and password, so you will want to set up security appropriately. This means creating
NT Group - Add users to this group
Server Login - Create a DB login for the group
DB user - create a db user for the login
db role - create a db role, and assign it to the login
Permissions - give the role the needed permissions on database objects

ASP.net Windows Authentication with custom database

I'm creating an intranet website that requires Windows Authentication. I already set up everything, or I think I did, to use windows authentication and roles managed in a database. That's important because I can't use the Active Directory groups and roles.
It works. When I enter the website it display my Windows user name and it is accesible with User.Identity.Name. I can validate a role using User.IsInRole("roleName") and it works too.
Now the problem I have is that when I use Membership.GetUser and Membership.GetAllUsers I always get null and an empty collection.
My RoleManager Provider is:
<add
name="SqlRoleManager"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="ApplicationServices"
applicationName="/appName"
/>
And my Membership Provider is this one:
<add
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="ApplicationServices"
applicationName="/appName"
/>
Am I missing something or my config is wrong?
Thanks!
Why do you want to call Membership.GetUser? You are already authenticated via Windows Authentication. If you want to use Membership with Windows Authentication (why, i don't know), you have to jump through some more hoops.
You can use the ActiveDirectoryMembershipProvider, rather than SqlMembershipProvider. This lets you call GetUser and retrieve AD information.
You can copy the Windows Authentication information into a SqlMembership database on login.
You can create a custom membership provider that allows you to do all the authentication yourself.
So, the first question is why do you want to use Membership?

How to maintain Forms authentication session state between Azure Web Roles?

I have deployed a RIA Services enabled Silverlight Business application on Azure that uses Forms authentication.
To enable Forms authentication on Azure, I have implemented the Table Storage providers from the Azure Toolkit. It almost works, but I have problems with keeping the session state. After I have logged in, and repeatedly presses F5 to refresh the page I switch between being logged in and logged out.
I have two Web Role Instances, and if I disable one of the it works like a charm. But as soon as I enable the second instance it's back to this sporadic behaviour. So clearly the state is not preserved because of the load balancing. Fine, I forgot to implement the Session provider, so I did:
<sessionState mode="Custom" customProvider="TableStorageSessionStateProvider">
<providers>
<clear />
<add name="TableStorageSessionStateProvider"
type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageSessionStateProvider"
applicationName="AppAdmin"
/>
</providers>
</sessionState>
Sadly, that didn't help.
Update: The actual table (Session) is created in the Table Storage, but no data is in there.
Any ideas and/or suggestions?
Have you set your machine key in web.config?

proper IIS 6 configuration for forms authentication

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made test with the two options above enabled and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidigExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off of the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
The anonymous access should be enabled, I don't think integrated windows authentication makes a difference but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other option on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanaitions by MS.

Retrieving the Windows username from a logged-in machine through an intranet application

How can an application, running on a production server, access the login username of the machine that a user is accessing an application from? For example, I am currently logged into my machine on the INTRA corporate intranet. My username will be INTRA\Username.
I have added specific usernames to a database and wish to check this intranet username against the database to restrict access to an application and leverage the username across the application.
Currently, I am using the following code to access the username:
Private username As String = Thread.CurrentPrincipal.Identity.Name
This is working great on localhost, but when authenticating against the database on a development server, I'm getting the following error:
Login failed for user 'NT
AUTHORITY\ANONYMOUS LOGON'.
Is this an incorrect approach? Is this even possible, or is it too much of a security issue? This application will be an internal intranet application running in an IE shop. Relevant pieces of web.config that already exist include:
<identity impersonate="true"/>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>
<connectionStrings>
<add name="CONNSTR" connectionString="Initial Catalog=DATANAME;Data Source=servername;Integrated Security=True;" providerName="System.Data.SqlClient"/>
</connectionStrings>
When setting up your web application on the server, you need to go into the Document Security section (the name of it changes depending on what version of IIS your server is running, but it's something like that), turn off anonymous authentication, and turn on Windows authentication. That tells the server to request windows login authentication from the browser. (Perhaps someone who knows web.config files better than I [which is nearly anyone] can edit this to point to the relevant bit; I don't think it's impersonate but if I knew, I'd say. I've so far only done this via the UI.)
in your example, you are locating the username that your webserver is running under. What you are after is the username of the user accessing the page.
Try something like this:
How To: Use Windows Authentication in ASP.NET 2.0
If setting the directory security to Windows Authentication is not working, change it to Basic Authentication. You'll also need to specify the domain name to authenticate against. This was the only way we could get the security to propagate through from the IIS layer to the DB. Unfortunately this causes the username and password to be sent through clear text. Its not the best solution, but since things were on the Intranet, it worked while we work on updating our login procedure.

Resources